From 94a2ce426fc36a6c82411a331bb18bf129c6d014 Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov <ru@nginx.com>
Date: Thu, 7 Jun 2018 11:47:10 +0300
Subject: [PATCH] HTTP/2: validate client request scheme.

The scheme is validated as per RFC 3986, Section 3.1.
---
 src/http/v2/ngx_http_v2.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 77ebb8474..a35140cf6 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -3474,6 +3474,9 @@ ngx_http_v2_parse_method(ngx_http_request_t *r, ngx_str_t *value)
 static ngx_int_t
 ngx_http_v2_parse_scheme(ngx_http_request_t *r, ngx_str_t *value)
 {
+    u_char      c, ch;
+    ngx_uint_t  i;
+
     if (r->schema_start) {
         ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                       "client sent duplicate :scheme header");
@@ -3488,6 +3491,26 @@ ngx_http_v2_parse_scheme(ngx_http_request_t *r, ngx_str_t *value)
         return NGX_DECLINED;
     }
 
+    for (i = 0; i < value->len; i++) {
+        ch = value->data[i];
+
+        c = (u_char) (ch | 0x20);
+        if (c >= 'a' && c <= 'z') {
+            continue;
+        }
+
+        if (((ch >= '0' && ch <= '9') || ch == '+' || ch == '-' || ch == '.')
+            && i > 0)
+        {
+            continue;
+        }
+
+        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                      "client sent invalid :scheme header: \"%V\"", value);
+
+        return NGX_DECLINED;
+    }
+
     r->schema_start = value->data;
     r->schema_end = value->data + value->len;